The Instance Metadata Service should not be available through IMDSv1

Amazon EC2 Instance Metadata Service is an on-instance component that EC2 instances use to access instance metadata.

There are two versions of the protocol that allow access to IMDS: IMDSv1 and IMDSv2. IMDSv1 should be disabled, as it has not been hardened against accidental exposure on the public internet. IMDSv2 introduced session-based authentication: an application starts a session by sending an HTTP PUT request to IMDSv2 and then presents the returned session token on its metadata requests. This protects against exploitation of SSRF/XXE vulnerabilities present inside the EC2 instance, because those vulnerabilities typically only let an attacker issue simple GET requests.

An attacker who can reach IMDSv1 through such a vulnerability could read the instance metadata and use it to breach the applications running on the EC2 instance.

Remediation guidelines

There are two possibilities for remediation:

  1. Disable IMDS entirely if the workload does not need it.
  2. Transition from IMDSv1 to IMDSv2 by setting the http_tokens argument to "required" in the metadata_options block of the IaC configuration.
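The following Terraform snippet is an added example, not part of the original page or of any particular project's code. It shows a non-compliant aws_instance next to the two remediations above; the resource names, the AMI id and the instance type are placeholders.

```hcl
# Added example, not from the original page. Resource names, the AMI id and
# the instance type are placeholders.

# Non-compliant: with http_tokens = "optional", IMDSv1 still answers plain
# GET requests that carry no session token.
resource "aws_instance" "web_insecure" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "optional" # IMDSv1 reachable -> finding
  }
}

# Remediation 2: require session tokens, which turns IMDSv1 off.
resource "aws_instance" "web_hardened" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # IMDSv2 only
    http_put_response_hop_limit = 1          # the default; keeps the token PUT from being answered beyond the instance itself
  }
}

# Remediation 1: the workload needs no metadata at all, so disable the endpoint.
resource "aws_instance" "batch_no_imds" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "disabled"
  }
}
```

The same metadata_options block with http_tokens = "required" belongs in aws_launch_template resources that back Auto Scaling groups, otherwise newly launched instances fall back to the weak setting. For instances already running, the MetadataOptions.HttpTokens field returned by the EC2 DescribeInstances API shows whether the change has actually taken effect.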
